PSD3 impacts on Payment and Electronic Money Institution authorization

PSD3 focuses on authorization and supervision requirements, bringing challenges for Payment Institutions and Electronic Money Institutions.

On the 28^th of June 2023, the European Commission (EC) published its draft proposal of a Payment Services package which should replace the second Payment Services Directive (PSD2).

The proposed draft Payment Service package is composed of 2 legislative acts :

• The proposed draft Payment Services Regulation in the internal market (PSR)
  
  The PSR will address all rules concerning PSP activities, and will also embed some requirements from the Regulatory Technical Standards for Strong Customer Authentication and Common and Secure open standards of Communication (RTS on SCA & CSC), as well as requirements from European Banking Authority guidelines and opinions. Further information on changes brought by the PSR is available here.
  
  
• The proposed draft Directive on Payment Services and Electronic Money Services in the internal market (PSD3)
  
  PSD3 will incorporate Electronic Money Institutions (EMIs) as a sub-category of Payment Institutions (PIs) and therefore embed, and subsequently repeal, the existing Electronic Money Directive (Directive 2009/110/EC). PSD3 will tackle the following topics:
  
  • Authorization to providing payment services, also known as licensing or registration;
  • Supervision of PIs and EMIs; and
  • Cash withdrawal services by retailers without purchase and independent ATM deployers.

The following measures are included in the draft PSD3:

Authorization

The content of the application for authorization to be submitted to the National Competent Authority (NCA) is mainly unchanged, with the exception of:

• Business continuity: business continuity arrangements should now be compliant with Regulation (EU) 2022/2554 on digital operational resilience;
• Security: the revised application requires a detailed risk assessment, including the risk of fraud and illegal use of sensitive and personal data, along with measures for sharing fraud-related data as introduced under the PSR;
• Other applications: PIs must, provide an overview of the EU jurisdictions where they are submitting or planning to submit an application for authorization.
• Winding-up plan: PIs must provide their winding-up plan in case of failure, which is to be adapted to the envisaged size and business model of the applicant.

Furthermore, the obligation for a PI to have its head and registered offices in the same Member State and to carry out part of it activities there still applies. However it is clarified that conducting "part" of the activities in that Member State does not necessarily mean the majority of its business activities.
 

Professional indemnity insurance and initial capital

Experience has shown that Account Information Service Providers (AISPs) seeking an authorization face difficulties to obtain the professional indemnity insurance. The draft PSD3 therefore provides these Payment Institutions with the option to hold EUR 50,000 of initial capital instead of a professional indemnity insurance.

On the other hand, the initial capital requirement per other Payment Institutions has been adjusted, to reflect experienced inflation.
 

Own funds

The draft PSD3 maintains the existing own funds calculation methods but designates method B, which relies on transaction volumes, as the default method. However, Payment Institutions with specific business models may use alternative methods. The European Banking Authority (EBA) is expected to specify the criteria to be used to benefit from this alternative.
 

Safeguarding

The safeguarding rules remain mostly unchanged, except for the introduction of an option to safeguard funds in an account at a Central Bank. It is also expected that the EBA develops regulatory technical standards on safeguarding requirements.
 

Cross-border provisions of services

Rules pertaining to the cross-border provisions of services remain mostly unchanged in the draft PSD3. However, specific clarifications are provided for cases involving three Member States, such as scenarios where a PI offers payment services in a Member State other than its home Member State through an agent located in a third Member State.

Cash withdrawals

In the draft PSD3, retail stores do not have to obtain a PI authorization to offer cash withdrawals without a purchase. However, this exemption only applies if the cash withdrawal is below EUR 50 and takes place within the retail store premises. Independent ATM deployers are also excluded from authorization obligations.
 

Next steps

Member States will be required to transpose the Directive into national laws within 18 months of the publication of the final proposal.

What does it mean for authorized PIs under the PSD2 or authorized EMIs under the Electronic Money Directive?

Under the new legal authorization regime introduced by PSD3, authorizations already granted to PIs and EMIs will remain valid for an additional 24 months, as from the entry into force of PSD3. However, these PIs and EMIs will have to submit a new application to their NCA at the latest 18 months after the entry into force of PSD3, leaving the NCA the time to assess compliance.

It is crucial for authorized PIs and EMIs to identify and assess the impacts of PSD3 on their application, to be able to keep their authorization.